Maintaining PCI Compliance for Your Magento Store

Target. Home Depot. TJX Companies. What do they all have in common? Data breaches.

Data breaches can be debilitating to a company’s reputation and health. For example, the December 2013 data breach at Target resulted in a 46% decline in profits and cost the company $146 million in breach-related expenses.[1] The business risks of security breaches are too great to ignore.

As a merchant, it is your obligation to maintain a secure environment for processing, storing, or transmitting your customers’ credit card data. The requirements for doing so are set out in the Payment Card Industry Data Security Standard, or PCI DSS. Meeting these requirements gives your customers confidence that their card data is protected against the risk of a breach.

An easy and cost-saving way for merchants on the Magento platform to remain PCI compliant is Magento’s Secure Payment Bridge.[2] This application is deployed separately from the Magento Enterprise platform, which is beneficial because:

Only the bridge application has to be PCI validated, rather than the whole Magento platform, because it is the only component that handles card data

You can upgrade to a newer version of Magento Enterprise without affecting the validated status of the Secure Payment Bridge

Magento’s Secure Payment Bridge works by storing the credit card data itself and returning a token to the Magento instance, so the Magento database holds only tokens and never the card number. A token on its own is not enough to charge a card: an attacker would also need the payment bridge credentials held by the Magento instance. If the payment bridge is ever compromised, you can set up a new instance, which generates new credentials for the Magento instance to use, so the old credentials no longer work and the credit card information remains secure.
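The following is an added example, not Magento’s or LYONSCG’s code, that models the pattern just described: a toy token vault standing in for the payment bridge, a Magento-side order record that stores only the returned token, and a check a practitioner can run against a store-side database dump or log excerpt to confirm no card numbers leaked. The HMAC-signed charge request, the token format and the rotation behaviour are assumptions chosen for illustration; the real bridge’s API is not shown on this page. The card number used is a well-known test PAN and the order data is constructed.

```python
import hashlib
import hmac
import re
import secrets


def luhn_valid(number):
    """Luhn checksum over the digits of `number` (separators ignored).
    Used both to validate a PAN before it enters the vault and to tell a real
    card number apart from other long digit strings when scanning."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def sign_request(secret, token, amount_cents):
    """HMAC-SHA256 over the charge request; an assumed stand-in for however the
    real bridge authenticates the Magento instance."""
    msg = "{}|{}".format(token, amount_cents).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class TokenVault:
    """Toy stand-in for the payment bridge (hypothetical). It is the only
    component that ever sees a PAN; the store side only receives tokens."""

    def __init__(self):
        self._pans = {}          # token -> PAN, lives only inside the bridge
        self.rotate_credentials()

    def rotate_credentials(self):
        """Equivalent of standing up a new bridge instance: fresh client id and
        secret, so anything signed with the old secret is rejected."""
        self.client_id = "bridge-" + secrets.token_hex(4)
        self._secret = secrets.token_bytes(32)
        return self.client_id, self._secret

    def tokenize(self, pan):
        """Store the PAN and hand back a random token unrelated to it."""
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        token = "tok_" + secrets.token_urlsafe(16)
        self._pans[token] = pan
        return token

    def charge(self, token, amount_cents, client_id, signature):
        """A charge succeeds only with a known token AND the current bridge
        credentials; a stolen token by itself is useless."""
        if client_id != self.client_id:
            return False
        expected = sign_request(self._secret, token, amount_cents)
        if not hmac.compare_digest(expected, signature):
            return False
        return token in self._pans


# 13-19 digits, optionally separated by spaces or dashes, not embedded in a
# longer digit run. Candidates are then confirmed with the Luhn check.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text):
    """Scan a database dump or log excerpt for anything that looks like a PAN.
    Running this against the store side is a cheap check that tokenization is
    really keeping card numbers out of Magento (PCI DSS requirement 3)."""
    return [m.group(0) for m in PAN_RE.finditer(text) if luhn_valid(m.group(0))]


def demo():
    vault = TokenVault()
    client_id, secret = vault.client_id, vault._secret   # held in Magento config

    # Store side: the order record keeps only the token the bridge returned.
    # Constructed sample data; 4111... is a standard test card number.
    orders = {"order-1001": {"customer": "alice",
                             "payment_token": vault.tokenize("4111111111111111")}}
    token = orders["order-1001"]["payment_token"]

    # Legitimate charge from the Magento instance with the real credentials.
    charge_ok = vault.charge(token, 1999, client_id,
                             sign_request(secret, token, 1999))
    # Attacker who dumped the Magento DB has the token but not the secret.
    forged_ok = vault.charge(token, 1999, client_id,
                             sign_request(b"guess", token, 1999))
    # Bridge compromised: new instance, new credentials; the old ones stop working.
    vault.rotate_credentials()
    stale_ok = vault.charge(token, 1999, client_id,
                            sign_request(secret, token, 1999))

    return {
        "pans_in_store_dump": find_pans(repr(orders)),
        "charge_ok": charge_ok,
        "forged_ok": forged_ok,
        "stale_ok": stale_ok,
    }


if __name__ == "__main__":
    print(demo())
```

`find_pans` is the part worth keeping around: point it at a Magento database export, web server logs and any debug output from payment extensions. A Luhn-valid 13 to 19 digit string in any of those means card data is reaching the platform after all, which pulls the whole platform back into PCI scope regardless of the bridge.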

The Secure Payment Bridge has been certified by a Qualified Security Assessor (Trustwave), as the standard requires, and meets the following twelve requirements mandated by the PCI DSS:

Install and maintain a firewall configuration to protect cardholder data

Do not use vendor-supplied defaults for system passwords and other security parameters

Protect stored cardholder data

Encrypt transmission of cardholder data across open, public networks

Use and regularly update anti-virus software

Develop and maintain secure systems and applications

Restrict access to cardholder data by business need-to-know

Assign a unique ID to each person with computer access

Restrict physical access to cardholder data

Track and monitor all access to network resources and cardholder data

Regularly test security systems and processes

Maintain a policy that addresses information security

While the Magento Secure Payment Bridge adheres to the above requirements, it is important to note that a validated payment application does not make a merchant compliant on its own: the bridge must be implemented in a PCI DSS compliant environment, and the hosting, network, access control and monitoring around it remain the merchant’s responsibility. To learn more about PCI compliance, please visit: www.pcisecuritystandards.org

Mark Hodge is a Senior Applications Engineer at Lyons Consulting Group. Mark is an alum of DeVry University-Illinois, where he earned his BS in Computer Science. Mark also holds the Magento Certified Developer Plus certification.

[1] Forbes. (2014, September 24). Home Depot: Could The Impact Of The Data Breach Be Significant? Retrieved from http://www.forbes.com/sites/greatspeculations/2014/09/24/home-depot-could-the-impact-of-the-data-breach-be-significant/
